#include <vnet/vnet.h>
#include <vnet/pg/pg.h>
#include <vppinfra/error.h>
+#include <vppinfra/random.h>
#include <vnet/udp/udp.h>
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/ikev2.h>
#include <vnet/ipsec/ikev2_priv.h>
#include <openssl/sha.h>
+ikev2_main_t ikev2_main;
+
static int ikev2_delete_tunnel_interface (vnet_main_t * vnm,
ikev2_sa_t * sa,
ikev2_child_sa_t * child);
first_child_sa->i_proposals = ikev2_parse_sa_payload (ikep);
}
}
- else if (payload == IKEV2_PAYLOAD_IDI || payload == IKEV2_PAYLOAD_IDR) /* 35, 36 */
+ else if (payload == IKEV2_PAYLOAD_IDI) /* 35 */
{
ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep;
- if (sa->is_initiator)
- {
- sa->r_id.type = id->id_type;
- vec_free (sa->r_id.data);
- vec_add (sa->r_id.data, id->payload, plen - sizeof (*id));
- }
- else
- {
- sa->i_id.type = id->id_type;
- vec_free (sa->i_id.data);
- vec_add (sa->i_id.data, id->payload, plen - sizeof (*id));
- }
+ sa->i_id.type = id->id_type;
+ vec_free (sa->i_id.data);
+ vec_add (sa->i_id.data, id->payload, plen - sizeof (*id));
- clib_warning ("received payload %s, len %u id_type %u",
- (payload == IKEV2_PAYLOAD_IDI ? "IDi" : "IDr"),
+ clib_warning ("received payload IDi, len %u id_type %u",
+ plen - sizeof (*id), id->id_type);
+ }
+ else if (payload == IKEV2_PAYLOAD_IDR) /* 36 */
+ {
+ ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep;
+
+ sa->r_id.type = id->id_type;
+ vec_free (sa->r_id.data);
+ vec_add (sa->r_id.data, id->payload, plen - sizeof (*id));
+
+ clib_warning ("received payload IDr len %u id_type %u",
plen - sizeof (*id), id->id_type);
}
else if (payload == IKEV2_PAYLOAD_AUTH) /* 39 */
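Review bot: Both new ID branches compute `plen - sizeof (*id)` before anything checks that the payload actually holds a full `ike_id_payload_header_t`; if `plen` is unsigned, as the `%u` formatting suggests, a short payload from the peer underflows that expression to a huge length and `vec_add` copies far past the end of `ikep`. Unless `plen` is already validated against the header size earlier in the parser (outside this hunk), each branch should reject the payload through the parser's existing error path when `plen < sizeof (*id)` before reading `id->payload`; the IDr branch added at the same point needs the identical guard. The enclosing function starts and ends outside the hunk.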
+ sa->profile->lifetime;
if (sa->profile->lifetime_jitter)
{
+ // This is not much better than rand(3), which Coverity warns
+ // is unsuitable for security applications; random_u32 is
+ // however fast. If this perturbance to the expiration time
+ // needs to use a better RNG then we may need to use something
+ // like /dev/urandom which has significant overhead.
+ u32 rnd = (u32) (vlib_time_now (vnm->vlib_main) * 1e6);
+ rnd = random_u32 (&rnd);
+
child->time_to_expiration +=
- 1 + (rand () % sa->profile->lifetime_jitter);
+ 1 + (rnd % sa->profile->lifetime_jitter);
}
}
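Review bot: The seed expression `(u32) (vlib_time_now (vnm->vlib_main) * 1e6)` converts an f64 straight to u32, which is undefined behaviour once the value exceeds the u32 range, i.e. after roughly 4295 seconds of vlib time; truncate through an integer type first, `u32 rnd = (u32) (u64) (vlib_time_now (vnm->vlib_main) * 1e6);`. Reseeding from the clock on every call also makes the jitter a pure function of the timestamp, so children created within the same microsecond receive the same perturbation; a single seed initialised once (e.g. from `random_default_seed ()` and kept in a field such as one on `ikev2_main`) and advanced by each `random_u32` call keeps the trade-off the comment describes without that correlation. The enclosing function starts outside the hunk.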